Universal Blind Quantum Computation 

Anne Broadbent, Joseph Fitzsimons, Elham Kashefi



Abstract

We present a protocol which allows a client to have a server carry out a quantum
computation for her such that the client's inputs, outputs and computation remain perfectly
private, and where she does not require any quantum computational power or memory.
The client only needs to be able to prepare single qubits randomly chosen from a
finite set and send them to the server, who has the balance of the required quantum
computational resources. Our protocol is interactive: after the initial preparation of
quantum states, the client and server use two-way classical communication which
enables the client to drive the computation, giving single-qubit measurement instructions
to the server, depending on previous measurement outcomes. Our protocol works for
inputs and outputs that are either classical or quantum. We give an authentication
protocol that allows the client to detect an interfering server; our scheme can also be
made fault-tolerant.

We also generalize our result to the setting of a purely classical client who communicates
classically with two non-communicating entangled servers, in order to perform a blind
quantum computation. By incorporating the authentication protocol, we show that any
problem in BQP has an entangled two-prover interactive proof with a purely classical
verifier.

Our protocol is the first universal scheme which detects a cheating server, as well as
the first protocol which does not require any quantum computation whatsoever on the
client's side. The novelty of our approach is in using the unique features of
measurement-based quantum computing which allows us to clearly distinguish between the quantum
and classical aspects of a quantum computation.

1 Introduction

When the technology to build quantum computers becomes available, it is likely that it will only 
be accessible to a handful of centers around the world. Much like today's rental system of super- 
computers, users will probably be granted access to the computers in a limited way. How will a user 
interface with such a quantum computer? Here, we consider the scenario where a user is unwilling 
to reveal the computation that the remote computer is to perform, but still wishes to exploit this 
quantum resource. More precisely, we give a protocol that allows a client Alice (who does not have 
any quantum computational resources or quantum memory) to interact with a server Bob (who 
has a quantum computer) in order for Alice to obtain the outcome of her target computation such 
that privacy is preserved. This means that Bob learns nothing about Alice's inputs, outputs, or 
desired computation. The privacy is perfect, does not rely on any computational assumptions, and 
holds no matter what actions a cheating Bob undertakes. Alice only needs to be able to prepare 
single qubits randomly chosen from a finite set and send them to the server, who has the balance 
of the required quantum computational resources. After this initial preparation, Alice and Bob use 
two-way classical communication which enables Alice to drive the computation by giving single- 
qubit measurement instructions to Bob, depending on previous measurement outcomes. Note that 
if Alice wanted to compute the solution to a classical problem in NP, she could efficiently verify 
the outcome. An interfering Bob is not so obviously detected in other cases. We give an authenti- 
cation technique which performs this detection. In order to make the protocol closer to practical 
implementations, we show how our scheme can be made fault-tolerant. Along the way, we also give 
a new universal family of graph states, the brickwork states which, unlike the cluster states, only 
require (X, Y)-plane measurements.

Our protocol can be used for any quantum circuit and also works for quantum inputs or outputs. 
We now give some applications. 

• Factoring. Factoring is a prime application of our protocol: by implementing Shor's factoring 
algorithm [32] as a blind quantum computation, Alice can use Bob to help her factor a product 
of large primes which is associated with an RSA public key [31]. Thanks to the properties of
our protocol, Bob will not only be unable to determine Alice's input, but will be completely
oblivious to the fact that he is helping her factor. 

• BQP-complete problem. Our protocol could be used to help Alice solve a BQP-complete 
problem, for instance approximating the Jones polynomial [3]. There is no known classical
method to efficiently verify the solution; this motivates the need for authentication of Bob's 
computation, even in the case that the output is classical. 

• Processing quantum information. Alice may wish to use Bob as a remote device to manipulate 
quantum information. Consider the case where Alice is participating in a quantum protocol 
such as a quantum interactive proof. She can use our protocol to prepare a quantum state, to 
perform a measurement on a quantum system, or to process quantum inputs into quantum 
outputs. 

Our results also have direct applications to the domain of the complexity theory. 

• Quantum prover interactive proofs. Our scheme can be used to accomplish an interactive 
proof for any language in BQP, with a quantum prover and a nearly-classical verifier. The 
first interactive proof given explicitly in this scenario was proposed by Aharonov, Ben-Or and 
Eban [2] after a pre-print of our paper appeared. In our early paper we did not consider the 
interactive proof scenario, however our protocol implicitly proposed an interactive proof for
any language in BQP with a quantum prover and where the verifier requires the power to
generate random qubits chosen from a fixed set, whereas the scheme in [2] requires a verifier 
with significantly more quantum power. 

• Multi-prover interactive proofs. Our protocol can be adapted to provide a two-prover interac- 
tive proof for any problem in BQP with a purely classical verifier. The modification requires 
that the provers share entanglement but otherwise be unable to communicate. Guided by 
the verifier, the first prover measures his part of the entanglement in order to create a shared 
resource between the verifier and the second prover. The remainder of the interaction involves 
the verifier and the second prover who essentially run our main protocol. 

1.1 Related work 

In the classical world, Feigenbaum introduced the notion of computing with encrypted data [17],
according to which a function f is encryptable if Alice can easily transform an instance x into
instance x', obtain f(x') from Bob and efficiently compute f(x) from f(x'), in such a way that
Bob cannot infer x from x'. Following this, Abadi, Feigenbaum and Kilian [1] gave an impossibility
result: no NP-hard function can be computed with encrypted data (even probabilistically and with 
polynomial interaction), unless the polynomial hierarchy collapses at the third level. 

Ignoring the blindness requirement of our protocol yields an interactive proof with a BQP 
prover and a nearly-classical verifier. As mentioned, this scenario was first proposed in the work 
of [2], using very different techniques based on authentication schemes. Their protocol can be also 
used for blind quantum computation. However, their scheme requires that Alice have quantum 
computational resources and memory to act on a constant-sized register. A related classical protocol 
for the scenario involving a P prover and a nearly-linear time verifier was given in [18].

Returning to the cryptographic scenario, still in the model where the function is classical and 
public, Arrighi and Salvail [7] gave an approach using quantum resources. The idea of their protocol 
is that Alice gives Bob multiple quantum inputs, most of which are decoys. Bob applies the target 
function on all inputs, and then Alice verifies his behaviour on the decoys. There are two important 
points to make here. First, the protocol only works for a restricted set of classical functions called 
random verifiable: it must be possible for Alice to efficiently generate random input-output pairs. 
Second, the protocol does not prevent Bob from learning Alice's private input; it provides only 
cheat sensitivity. 

The case of a blind quantum computation was first considered by Childs [12] based on the 
idea of encrypting input qubits with a quantum one-time pad [5, 10]. At each step, Alice sends
the encrypted qubits to Bob, who applies a known quantum gate (some gates requiring further 
interaction with Alice). Bob returns the quantum state, which Alice decrypts using her key. Cycling 
through a fixed set of universal gates ensures that Bob learns nothing about the circuit. The protocol 
requires fault-tolerant quantum memory and the ability to apply local Pauli operators at each step, 
and does not provide any method for the detection of malicious errors. 

1.2 Contributions and Techniques 

We present the first protocol for universal blind quantum computation where Alice has no quantum 
memory. Our protocol works for any quantum circuit and assumes Alice has a classical computer, 
augmented with the power to prepare single qubits randomly chosen in 

$$\left\{ \tfrac{1}{\sqrt{2}} \left( |0\rangle + e^{i\theta} |1\rangle \right) \mid \theta = 0, \pi/4, 2\pi/4, \ldots, 7\pi/4 \right\}.$$



The required quantum and classical communication between Alice and Bob is linear in the size of 
Alice's desired quantum circuit. 

Interestingly, it is sufficient for our purposes to restrict Alice's classical computation to modulo 8 
arithmetic! Similar observations in a non-cryptographic context have been made in [6]. Except 
for an unavoidable leakage of the size of Alice's data [1], Alice's privacy is perfect. We provide
an authentication technique to detect an interfering Bob with overwhelming probability; this is 
optimal since there is always an exponentially small probability that Bob can guess a path that will 
make Alice accept. We also show how the protocol can be made fault-tolerant. Furthermore, we 
extend our result to the domain of interactive proof systems: we prove that any problem in BQP 
has an interactive proof system with two entangled provers and a purely classical verifier. 

All previous protocols for blind quantum computation require technology for Alice that is today 
unavailable: Arrighi and Salvail's protocol requires multi-qubit preparations and measurements, 
Childs' protocol requires fault-tolerant quantum memory and the ability to apply local Pauli oper- 
ators at each step, while Aharonov, Ben-Or and Eban's protocol requires a constant-sized quantum 
computer with memory. In sharp contrast to this, from Alice's point of view, our protocol can be 
implemented with physical systems that are already available and well-developed. The required 
apparatus can be achieved by making only minor modifications to equipment used in the BB84 key 
exchange protocol [9]. Single nitrogen vacancy centers in diamond, for example, offer the necessary 
functionality and can be used even at room temperature, removing the necessity for cumbersome 
equipment such as cryostats [20].

Our protocol is described in terms of the measurement-based model for quantum computation 
(MBQC) [28, 29]. While the computational power of this model is the same as in the quantum
circuit model [16] (and our protocol could be completely recast into this model), it has proven to
be conceptually enlightening to reason about the distributed task of blind quantum computation
using this approach. The novelty of our approach is in using the unique feature of MBQC that
separates the classical and quantum parts of a computation, leading to a generic scheme for blind
computation of any circuit without requiring any quantum memory for Alice. This is fundamentally
different from previously known classical or quantum schemes. Our protocol can be viewed as a
distributed version of an MBQC computation (where Alice prepares the individual qubits, Bob does
the entanglement and measurements, and Alice computes the classical feedforward mechanism),
on top of which randomness is added in order to obscure the computation from Bob's point of
view. The family of graph states called cluster states [28] is universal for MBQC (graph states
are initial entangled states required for the computation in MBQC). However, the method that
allows arbitrary computation on the cluster state consists in first tailoring the cluster state to the
specific computation by performing some computational basis measurements. If we were to use this
principle for blind quantum computing, Alice would have to reveal information about the structure
of the underlying graph state. We introduce a new family of states called the brickwork states
(Figure 1) which are universal for X-Y plane measurements and thus do not require the initial
computational basis measurements. Other universal graph states that do not require initial
computational basis measurements have appeared in [13].

To the best of our knowledge, this is the first time that a new functionality has been achieved 
thanks to MBQC (other theoretical advances due to MBQC appear in [30, 25]). From a conceptual
point of view, our contribution shows that MBQC has tremendous potential for the development 
of new protocols, and maybe even of algorithms. 



1.3 Outline of Protocols 

The outline of the main protocol is as follows. Alice has in mind a quantum computation given as 
a measurement pattern on a brickwork state. There are two stages: preparation and computation. 
In the preparation stage, Alice prepares single qubits chosen randomly from
$\{\tfrac{1}{\sqrt{2}}(|0\rangle + e^{i\theta}|1\rangle) \mid \theta = 0, \pi/4, 2\pi/4, \ldots, 7\pi/4\}$
and sends them to Bob. After receiving all the qubits, Bob entangles
them according to the brickwork state. Note that this unavoidably reveals upper bounds on the 
dimensions of Alice's underlying graph state, that correspond to the length of the input and depth 
of the computation. However, due to universality of the brickwork state, it does not reveal any 
additional information on Alice's computation. The computation stage involves interaction: for 
each layer of the brickwork state, for each qubit, Alice sends a classical message to Bob to tell him 
in which basis of the X-Y plane he should measure the qubit. Bob performs the measurement and
communicates the outcome; Alice's choice of angles in future rounds will depend on these values.
Importantly, Alice's quantum states and classical messages are astutely chosen so that, no matter
what Bob does, he cannot infer anything about her measurement pattern. If Alice is computing
a classical function, the protocol finishes when all qubits are measured. If she is computing a
quantum function, Bob returns to her the final qubits. A modification of the protocol also allows
Alice's inputs to be quantum. 

We give an authentication technique which enables Alice to detect an interfering Bob with 
overwhelming probability (strictly speaking, either Bob's interference is corrected and he is not de- 
tected, or his interference is detected with overwhelming probability). The authentication requires 
that Alice encode her input into an error correction code and choose an appropriate fault-tolerant 
implementation of her desired computation. She also uses some qubits as traps; they are prepared 
in the eigenstates of the Pauli operators X, Y and Z. 

The remainder of the paper is structured as follows: the main protocol is given in Section 2,
where universality, correctness and blindness are proven. Section 3 discusses extensions to the case
of quantum inputs or outputs; authentication techniques that are used to detect an interfering Bob
and perform fault-tolerant computations are in Section 4, while Section 5 presents the two-server
protocol with a purely classical Alice. The reader unfamiliar with MBQC is referred to a short
introduction in Appendix A. Appendix B contains a universality proof of the brickwork states that
is lengthy due to its figures.

2 Main Protocol 

Suppose Alice has in mind a unitary operator U that is implemented with a pattern on a brickwork
state $G_{n \times m}$ (Figure 1) with measurements given as multiples of $\pi/4$. This pattern could have been
designed either directly in MBQC or from a circuit construction. Each qubit $|\psi_{x,y}\rangle \in G_{n \times m}$ is
indexed by a column $x \in \{1, \ldots, n\}$ and a row $y \in \{1, \ldots, m\}$. Thus each qubit is assigned: a
measurement angle $\phi_{x,y}$, a set of X-dependencies $D_{x,y} \subseteq [x-1] \times [m]$, and a set of Z-dependencies
$D'_{x,y} \subseteq [x-1] \times [m]$. Here, we assume that the dependency sets $X_{x,y}$ and $Z_{x,y}$ are obtained via
the flow construction [14]. During the execution of the pattern, the actual measurement angle $\phi'_{x,y}$
is a modification of $\phi_{x,y}$ that depends on previous measurement outcomes in the following way:
let $s^X_{x,y} = \oplus_{i \in D_{x,y}} s_i$ be the parity of all measurement outcomes for qubits in $X_{x,y}$ and similarly,
$s^Z_{x,y} = \oplus_{i \in D'_{x,y}} s_i$ be the parity of all measurement outcomes for qubits in $Z_{x,y}$. Then

$$\phi'_{x,y} = (-1)^{s^X_{x,y}} \phi_{x,y} + s^Z_{x,y} \pi.$$

Protocol 1 implements a blind quantum computation for U. Note that
we assume that Alice's input to the computation is built into U. In other words, Alice wishes to
compute $U|0\rangle$, her input is classical and the first layers of U may depend on it.



Protocol 1 Universal Blind Quantum Computation

1. Alice's preparation

For each column x = 1, ..., n
For each row y = 1, ..., m

1.1 Alice prepares $|\psi_{x,y}\rangle \in_R \{|+_{\theta_{x,y}}\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + e^{i\theta_{x,y}}|1\rangle) \mid \theta_{x,y} = 0, \pi/4, \ldots, 7\pi/4\}$ and
sends the qubits to Bob.

2. Bob's preparation

2.1 Bob creates an entangled state from all received qubits, according to their indices, by
applying ctrl-Z gates between the qubits in order to create a brickwork state $G_{n \times m}$
(see Definition 1).

3. Interaction and measurement

For each column x = 1, ..., n
For each row y = 1, ..., m

3.1 Alice computes $\phi'_{x,y}$ where $s^X_{0,y} = s^Z_{0,y} = 0$.

3.2 Alice chooses $r_{x,y} \in_R \{0, 1\}$ and computes $\delta_{x,y} = \phi'_{x,y} + \theta_{x,y} + \pi r_{x,y}$.

3.3 Alice transmits $\delta_{x,y}$ to Bob. Bob measures in the basis $\{|+_{\delta_{x,y}}\rangle, |-_{\delta_{x,y}}\rangle\}$.

3.4 Bob transmits the result $s_{x,y} \in \{0, 1\}$ to Alice.

3.5 If $r_{x,y} = 1$ above, Alice flips $s_{x,y}$; otherwise she does nothing.

Figure 1: The brickwork state, $G_{n \times m}$. Qubits $|\psi_{x,y}\rangle$ ($x = 1, \ldots, n$, $y = 1, \ldots, m$) are arranged
according to layer x and row y, corresponding to the vertices in the above graph, and are originally
in the $|+\rangle = \tfrac{1}{\sqrt{2}}|0\rangle + \tfrac{1}{\sqrt{2}}|1\rangle$ state. Controlled-Z gates are then performed between qubits which
are joined by an edge.



The universality of Protocol 1 follows from the universality of the brickwork state (defined below)
for measurement-based quantum computing. 

Definition 1. A brickwork state $G_{n \times m}$, where $m \equiv 5 \pmod 8$, is an entangled state of $n \times m$
qubits constructed as follows (see also Figure 1):

1. Prepare all qubits in state $|+\rangle$ and assign to each qubit an index $(i,j)$, i being a column
($i \in [n]$) and j being a row ($j \in [m]$).

2. For each row, apply the operator CTRL-Z on qubits $(i,j)$ and $(i,j+1)$ where $1 \le j \le m-1$.

3. For each column $j \equiv 3 \pmod 8$ and each odd row i, apply the operator CTRL-Z on qubits
$(i,j)$ and $(i+1,j)$ and also on qubits $(i,j+2)$ and $(i+1,j+2)$.

4. For each column $j \equiv 7 \pmod 8$ and each even row i, apply the operator CTRL-Z on qubits
$(i,j)$ and $(i+1,j)$ and also on qubits $(i,j+2)$ and $(i+1,j+2)$.

The proof of the following theorem is relegated to Appendix B.

Theorem 1 (Universality). The brickwork state $G_{n \times m}$ is universal for quantum computation.
Furthermore, we only require single-qubit measurements under the angles $\{0, \pm\pi/4, \pm\pi/2\}$, and
measurements can be done layer-by-layer.

In this work, we only consider approximate universality. This allows us to restrict the angles 
of preparation and measurement to a finite set and hence simplify the description of the protocol. 
However one can easily extend our protocol to achieve exact universality as well, provided Alice 
can communicate real numbers to Bob. 

Correctness refers to the fact that the outcome of the protocol is the same as the outcome 
if Alice had run the pattern herself. The fact that Protocol 1 correctly computes $U|0\rangle$ follows
from the commutativity of Alice's rotations and Bob's measurements in the rotated bases. This is 
formalized below. 

Theorem 2 (Correctness). Assume Alice and Bob follow the steps of Protocol 1. Then the
outcome is correct.

Proof. Firstly, since ctrl-Z commutes with Z-rotations, steps 1 and 2 do not change the underlying
graph state; only the phase of each qubit is locally changed, and it is as if Bob had done the
Z-rotation after the ctrl-Z. Secondly, since a measurement in the $|+_\phi\rangle, |-_\phi\rangle$ basis on a state $|\psi\rangle$
is the same as a measurement in the $|+_{\phi+\theta}\rangle, |-_{\phi+\theta}\rangle$ basis on $Z(\theta)|\psi\rangle$, and since $\delta = \phi' + \theta + \pi r$,
if r = 0, Bob's measurement has the same effect as Alice's target measurement; if r = 1, all Alice
needs to do is flip the outcome. □

We now define and prove the security of the protocol. Intuitively, we wish to prove that whatever 
Bob chooses to do (including arbitrary deviations from the protocol), his knowledge on Alice's 
quantum computation does not increase. Note, however that Bob does learn the dimensions of the 
brickwork state, giving an upper bound on the size of Alice's computation. This is unavoidable: a 
simple adaptation of the proof of Theorem 2 from [1] confirms this. We incorporate this notion of
leakage in our definition of blindness. A quantum delegated computation protocol is a protocol by
which Alice interacts quantumly with Bob in order to obtain the result of a computation, $U(x)$,
where $X = (\tilde{U}, x)$ is Alice's input with $\tilde{U}$ being a description of U.



Definition 2. Let P be a quantum delegated computation on input X and let L(X) be any function
of the input. We say that a quantum delegated computation protocol is blind while leaking at most
L(X) if, on Alice's input X, for any fixed Y = L(X), the following two hold when given Y:

1. The distribution of the classical information obtained by Bob in P is independent of X.

2. Given the distribution of classical information described in 1, the state of the quantum system
obtained by Bob in P is fixed and independent of X.

Definition 2 captures the intuitive notion that Bob's view of the protocol should not depend
on X (when given Y); since his view consists of classical and quantum information, this means
that the distribution of the classical information should not depend on X (given Y) and that for
any fixed choice of the classical information, the state of the quantum system should be uniquely
determined and not depend on X (given Y). We are now ready to state and prove our main
theorem. Recall that in Protocol 1, (n, m) is the dimension of the brickwork state.

Theorem 3 (Blindness). Protocol 1 is blind while leaking at most (n, m).

Proof. Let (n, m) (the dimension of the brickwork state) be given. Note that the universality of 
the brickwork state guarantees that Bob's creating of the graph state does not reveal anything on 
the underlying computation (except n and m). 
Alice's input consists of 

$$\phi = (\phi_{x,y} \mid x \in [n], y \in [m])$$

with the actual measurement angles

$$\phi' = (\phi'_{x,y} \mid x \in [n], y \in [m])$$

being a modification of $\phi$ that depends on previous measurement outcomes. Let the classical
information that Bob gets during the protocol be

$$\delta = (\delta_{x,y} \mid x \in [n], y \in [m])$$

and let A be the quantum system initially sent from Alice to Bob.

To show independence of Bob's classical information, let $\theta'_{x,y} = \theta_{x,y} + \pi r_{x,y}$ (for a uniformly
random chosen $\theta_{x,y}$) and $\theta' = (\theta'_{x,y} \mid x \in [n], y \in [m])$. We have $\delta = \phi' + \theta'$, with $\theta'$ being uniformly
random (and independent of $\phi$ and/or $\phi'$), which implies the independence of $\delta$ and $\phi$.

As for Bob's quantum information, first fix an arbitrary choice of $\delta$. Because $r_{x,y}$ is uniformly
random, for each qubit of A, one of the following two has occurred:

1. $r_{x,y} = 0$ so $\delta_{x,y} = \phi'_{x,y} + \theta'_{x,y}$ and $|\psi_{x,y}\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + e^{i(\delta_{x,y} - \phi'_{x,y})}|1\rangle)$.

2. $r_{x,y} = 1$ so $\delta_{x,y} = \phi'_{x,y} + \theta'_{x,y} + \pi$ and $|\psi_{x,y}\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle - e^{i(\delta_{x,y} - \phi'_{x,y})}|1\rangle)$.

Since $\delta$ is fixed, $\theta'$ depends on $\phi'$ (and thus on $\phi$), but since $r_{x,y}$ is independent of everything else,
without knowledge of $r_{x,y}$ (i.e. taking the partial trace of the system over Alice's secret), A consists
of copies of the two-dimensional completely mixed state, which is fixed and independent of $\phi$. □
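
The single-qubit identities used in the proofs of Theorems 2 and 3 can be checked exhaustively over the eight-angle set. The following Python sketch is an added example, not code from the paper: all function names are assumptions, angles are stored as integers k standing for kπ/4 (the modulo-8 arithmetic the paper notes is sufficient), and the test state is constructed. It checks one qubit in isolation, not a full brickwork state.

```python
import cmath
import math
from collections import Counter

# Angles are integers k in Z_8 standing for k*pi/4; pi is therefore 4.

def plus_state(k, sign=1):
    """|+_theta> (sign=1) or |-_theta> (sign=-1), theta = k*pi/4, as (amp0, amp1)."""
    phase = cmath.exp(1j * math.pi * (k % 8) / 4)
    return (1 / math.sqrt(2), sign * phase / math.sqrt(2))

def actual_angle(phi, s_x, s_z):
    """Feedforward rule phi' = (-1)^{s^X} * phi + s^Z * pi, reduced mod 8."""
    return ((-1) ** s_x * phi + 4 * s_z) % 8

def alice_message(phi_prime, theta, r):
    """delta = phi' + theta + pi*r: the only angle Bob ever receives."""
    return (phi_prime + theta + 4 * r) % 8

def delta_distribution(phi_prime):
    """Counts of delta over all 16 equally likely (theta, r) choices."""
    return Counter(alice_message(phi_prime, t, r)
                   for t in range(8) for r in (0, 1))

def bob_qubit_given_delta(phi_prime, delta):
    """Density matrix of the qubit Alice sent, given delta, with r traced out."""
    rho = [[0j, 0j], [0j, 0j]]
    for r in (0, 1):  # given delta, both values of r are equally likely
        theta = (delta - phi_prime - 4 * r) % 8
        amps = plus_state(theta)
        for i in range(2):
            for j in range(2):
                rho[i][j] += 0.5 * amps[i] * amps[j].conjugate()
    return rho

def is_maximally_mixed(rho, tol=1e-12):
    """True when rho equals I/2 up to floating-point error."""
    return (abs(rho[0][0] - 0.5) < tol and abs(rho[1][1] - 0.5) < tol
            and abs(rho[0][1]) < tol and abs(rho[1][0]) < tol)

def z_rotate(state, k):
    """Apply Z(theta) = diag(1, e^{i*theta}) with theta = k*pi/4."""
    a, b = state
    return (a, cmath.exp(1j * math.pi * k / 4) * b)

def outcome_probability(state, k, outcome):
    """Probability of outcome 0 (|+_k>) or 1 (|-_k>) when measuring state."""
    bra = plus_state(k, sign=-1 if outcome else 1)
    amp = sum(x.conjugate() * y for x, y in zip(bra, state))
    return abs(amp) ** 2

def blind_vs_direct(state, phi_prime, theta, r):
    """(direct, blind) probabilities that Alice ends up recording outcome 0."""
    direct = outcome_probability(state, phi_prime, 0)
    delta = alice_message(phi_prime, theta, r)
    # Alice records s XOR r, so she records 0 exactly when Bob reports s = r.
    blind = outcome_probability(z_rotate(state, theta), delta, r)
    return direct, blind

def max_correctness_gap(state):
    """Largest |direct - blind| over every (phi', theta, r) combination."""
    return max(abs(d - b)
               for p in range(8) for t in range(8) for r in (0, 1)
               for d, b in [blind_vs_direct(state, p, t, r)])

SAMPLE_STATE = (0.6, 0.8j)  # constructed, normalised single-qubit state

if __name__ == "__main__":
    for p in range(8):
        print("phi' =", p, "delta counts:", sorted(delta_distribution(p).items()))
    print("qubit mixed for every (phi', delta):",
          all(is_maximally_mixed(bob_qubit_given_delta(p, d))
              for p in range(8) for d in range(8)))
    print("max correctness gap:", max_correctness_gap(SAMPLE_STATE))
```
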

There are two malicious scenarios that are covered by Definition 2 and that we explicitly mention
here. Suppose Bob has some prior knowledge, given as some a priori distribution on Alice's input X.
Since Definition 2 applies to any distribution of X, we can simply apply it to the conditional
distribution representing the distribution of X given Bob's a priori knowledge; we conclude that
Bob does not learn any information on X beyond what he already knows, as well as what is leaked.
The second scenario concerns a Bob whose goal it is to find Alice's output. Definition 2 forbids
this: learning information on the output would imply learning information on Alice's input.

Note that the protocol does not allow Alice to reveal to Bob whether or not she accepts the result 
of the computation as this bit of information could be exploited by Bob to learn some information 
about the actual computation. In this scenario, Protocol 4 can be used instead.

3 Quantum Inputs and Outputs 

We can slightly modify Protocol 1 to deal with both quantum inputs and outputs. In the former
case, no extra channel resources are required, while the latter case requires a quantum channel from 
Bob to Alice in order for him to return the output qubits. Alice will also need to be able to apply 
X and Z Pauli operators in order to undo the quantum one-time pad. Note that these protocols 
can be combined to obtain a protocol for quantum inputs and outputs. 

3.1 Quantum Inputs 

Consider the scenario where Alice's input is in the form of m physical qubits and she has no efficient
classical description of the inputs to be able to incorporate it into Protocol 1. In this case, she
needs to be able to apply local Pauli-X and Pauli-Z operators to implement a full one-time pad
over the input qubits. The first layer of measurements is adapted to undo the Pauli-X operation
if necessary. By the quantum one-time pad, Theorem 2 and Theorem 3, this modified protocol,
given in Protocol 2, is still correct and private.

Here we assume that Alice already has in her hands the quantum inputs: unless she receives 
the inputs one-by-one, she requires for this initial step some quantum memory. She also needs to 
be able to apply the single-qubit gates as described above. Note that this is only asking slightly 
more than Alice choosing between four single-qubit gates, which would be the minimum required 
in any blind quantum computation protocol with quantum inputs. 

3.2 Quantum Outputs 

Suppose Alice now requires a quantum output, for example in the case of blind quantum state 
preparation. In this scenario, instead of measuring the last layer of qubits, Bob returns it to Alice,
who performs the final layer of Pauli corrections. The following theorem shows a privacy property 
on the quantum states that Bob manipulates. 

Theorem 4. At every step of Protocol 1, Bob's quantum state is one-time padded.

Proof. During the execution of the protocol the values of $s^X$ and $s^Z$ are unknown to Bob since they
have been one-time padded using the random key r at each layer. Due to the flow construction [14],
each qubit (starting at the third column) receives independent Pauli operators, which act as the
full quantum one-time pad over Bob's state. Since our initial state is $|+\rangle$, and since the first layer
performs a hidden Z-rotation, it follows that the qubits in the second layer are also completely
encrypted during the computation. □

This result together with Theorems 2 and 3 proves the correctness and privacy of Protocol 3
that deals with quantum outputs.



Protocol 2 Universal Blind Quantum Computation with Quantum Inputs

1. Alice's input preparation

For the input column (x = 0, y = 1, ..., m) corresponding to Alice's input

1.1 Alice applies $Z_{0,y}(\theta_{0,y})$ for $\theta_{0,y} \in_R \{0, \pi/4, 2\pi/4, \ldots, 7\pi/4\}$.

1.2 Alice chooses $i_{0,y} \in_R \{0, 1\}$ and applies $X_{0,y}^{i_{0,y}}$. She sends the qubits to Bob.

2. Alice's auxiliary preparation

For each column x = 1, ..., n
For each row y = 1, ..., m

2.1 Alice prepares $|\psi_{x,y}\rangle \in_R \{|+_{\theta_{x,y}}\rangle \mid \theta_{x,y} = 0, \pi/4, 2\pi/4, \ldots, 7\pi/4\}$ and sends the qubits
to Bob.

3. Bob's preparation

3.1 Bob creates an entangled state from all received qubits, according to their indices, by
applying ctrl-Z gates between the qubits in order to create a brickwork state $G_{(n+1) \times m}$.

4. Interaction and measurement

For each column x = 0, ..., n
For each row y = 1, ..., m

4.1 Alice computes $\phi'_{x,y}$ with the special case $\phi'_{0,y} = (-1)^{i_{0,y}} \phi_{0,y}$.

4.2 Alice chooses $r_{x,y} \in_R \{0, 1\}$ and computes $\delta_{x,y} = \phi'_{x,y} + \theta_{x,y} + \pi r_{x,y}$.

4.3 Alice transmits $\delta_{x,y}$ to Bob.

4.4 Bob measures in the basis $\{|+_{\delta_{x,y}}\rangle, |-_{\delta_{x,y}}\rangle\}$.

4.5 Bob transmits the result $s_{x,y} \in \{0, 1\}$ to Alice.

4.6 If $r_{x,y} = 1$ above, Alice flips $s_{x,y}$; otherwise she does nothing.



Protocol 3 Universal Blind Quantum Computation with Quantum Outputs

1. Alice's auxiliary preparation

For each column x = 1, ..., n - 1
For each row y = 1, ..., m

1.1 Alice prepares $|\psi_{x,y}\rangle \in_R \{|+_{\theta_{x,y}}\rangle \mid \theta_{x,y} = 0, \pi/4, 2\pi/4, \ldots, 7\pi/4\}$ and sends the qubits
to Bob.

2. Alice's output preparation

2.1 Alice prepares the last column of qubits $|\psi_{n,y}\rangle = |+\rangle$ ($y = 1, \ldots, m$) and sends the qubits
to Bob.

3. Bob's preparation

3.1 Bob creates an entangled state from all received qubits, according to their indices, by
applying CTRL-Z gates between the qubits in order to create a brickwork state $G_{n \times m}$.

4. Interaction and measurement

For each column x = 1, ..., n - 1
For each row y = 1, ..., m

4.1 Alice computes $\phi'_{x,y}$ where $s^X_{0,y} = s^Z_{0,y} = 0$ for the first column.

4.2 Alice chooses $r_{x,y} \in_R \{0, 1\}$ and computes $\delta_{x,y} = \phi'_{x,y} + \theta_{x,y} + \pi r_{x,y}$.

4.3 Alice transmits $\delta_{x,y}$ to Bob.

4.4 Bob measures in the basis $\{|+_{\delta_{x,y}}\rangle, |-_{\delta_{x,y}}\rangle\}$.

4.5 Bob transmits the result $s_{x,y} \in \{0, 1\}$ to Alice.

4.6 If $r_{x,y} = 1$ above, Alice flips $s_{x,y}$; otherwise she does nothing.

5. Output Correction

5.1 Bob sends to Alice all qubits in the last layer.

5.2 Alice performs the final Pauli corrections $Z^{s^Z_{n,y}} X^{s^X_{n,y}}$.

4 Authentication and Fault-Tolerance

We now focus on Alice's ability to detect if Bob is not cooperating. There are two possible ways in 
which Bob can be uncooperative: he can refuse to perform the computation (this is immediately 
apparent to Alice), or he can actively interfere with the computation, while pretending to follow 
the protocol. It is this latter case that we focus on detecting. Our authentication technique enables 
Alice to detect an interfering Bob with overwhelming probability (strictly speaking, either Bob's 
interference is corrected and he is not detected, or his interference is detected with overwhelming 
probability). Note that this is the best that we can hope for since nothing prevents Bob from 
refusing to perform the computation. Bob could also be lucky and guess a path that Alice will 
accept. This happens with exponentially small probability, hence our technique is optimal. 

In the case that Alice's computation has a classical output and that she does not require
fault-tolerance, a simple protocol for blind quantum computing with authentication exists: execute
Protocol 1 on a modification of Alice's target circuit: she adds $N$ randomly placed trap wires that
are randomly in state $|0\rangle$ or $|1\rangle$ ($N$ is the number of qubits in the computation). If Bob interferes,
either his interference has no effect on the classical output, or he will get caught with probability
at least $\frac{1}{2}$ (he gets caught if Alice finds that the output of at least one trap wire is incorrect). The
protocol is repeated $s$ times (the traps are randomly re-positioned each time); if Bob is not caught
cheating, Alice accepts if all outputs are identical; otherwise she rejects. The probability of an
incorrect output being accepted is at most $2^{-s}$.

Our contribution. Protocol 4 is more general than this scheme since it works for quantum
outputs and is fault-tolerant. If the above scheme is used for quantum inputs, they must be
given to Alice as multiple copies. Similarly (but more realistically), if Protocol 4 is to be used
on quantum inputs, these must already be given to Alice in an encoded form as in step 2 of
Protocol 4 (because Alice has no quantum computational power). In the case of a quantum
output, it will be given to Alice in a known encoded form, which she can pass on to a third party
for verification.

The theory of quantum error correction provides a natural mechanism for detecting unintended
changes to a computation, whereas the theory of fault-tolerant computation provides a way to
process information even using error-prone gates. Unfortunately, error correction, even when combined
with fault-tolerant gate constructions, is insufficient to detect malicious tampering if the error
correction code is known. As evidenced by the quantum authentication protocol [8], error correction
encodings can, however, be adapted for this purpose.

Our protocol proceeds along the following lines. Alice chooses an $n_C$-qubit error correction
code C with distance $d_C$. (The values of $n_C$ and $d_C$ are taken as security parameters.) If the
original computation involves $N$ logical qubits, the authenticated version involves $N(n_C + 3n_T)$
(with $n_T = n_C$) logical qubits: throughout the computation, each logical qubit is encoded with C,
while the remaining $3Nn_T$ qubits are used as traps to detect an interfering Bob. The trap qubits
are prepared as a first step of the computation in eigenstates of the Pauli operators X, Y and Z,
with an equal number of qubits in each state.

The protocol also involves fault-tolerant gates, for some of which it is necessary to have Bob
periodically measure qubits [33]. In order to accomplish this, the blind computation protocol is
extended by allowing Alice to instruct Bob to measure specific qubits within the brickwork state
in the computational basis at regular intervals. These qubits are chosen at regular spatial intervals
so that no information about the structure of the computation is revealed. It should be noted that
in Protocol 4 we allow Alice to reveal to Bob whether or not she accepts the final result.

Our protocol can also be used in the scenario of non-malicious faults: because it already uses a
fault-tolerant construction, the measurement of trap qubits in Protocol 4 allows for the estimation

Protocol 4 Blind Quantum Computing with Authentication (classical input and output)

1. Alice chooses C, where C is some $n_C$-qubit error-correcting code with distance $d_C$. The
security parameter is $d_C$.

2. In the circuit model, starting from circuit for U, Alice converts target circuit to fault-tolerant 
circuit: 

2.1 Use error-correcting code C. The encoding appears in the initial layers of the circuit. 

2.2 Perform all gates and measurements fault-tolerantly. 

2.3 Some computational basis measurements are required for the fault-tolerant implementation
(for verification of ancillae and non-transversal gates). Each measurement is
accomplished by making and measuring a pseudo-copy of the target qubit: a CTRL-X is
performed from the target to an ancilla qubit initially set to $|0\rangle$, which is then measured
in the Z-basis.

2.4 Ancilla qubit wires are evenly spaced through the circuit. 

2.5 The ancillae are re-used. All ancillae are measured at the same time, at regular intervals, 
after each fault-tolerant gate (some outputs may be meaningless). 

3. Within each encoded qubit, permute all wires, keeping these permutations secret from Bob. 

4. Within each encoded qubit, add $3n_T$ randomly interspersed trap wires, each trap being a
random eigenstate of X, Y or Z ($n_T$ of each). For security, we must have $n_T \propto n_C$; for
convenience, we choose $n_T = n_C$. The trap qubit wire (at this point) does not interact with
the rest of the circuit. The wire is initially $|0\rangle$, and then single-qubit gates are used to create
the trap state. These single-qubit gates appear in the initial layers of the circuit.

5. Trap qubits are verified using the same ancillae as above: they are rotated into the
computational basis, measured using the pseudo-copy technique above, and then returned to their
initial basis.

6. Any fault-tolerant measurement is randomly interspersed with verification of $3n_T$ random
trap wires. For this, identity gates are added as required.

7. For classical output, the trap wires are rotated as a last step, so that the following
measurement in the computational basis is used for a final verification.

8. Convert the whole circuit above to a measurement-based computation on the brickwork state, 
with the addition of regular Z-basis measurements corresponding to the measurements on 
ancillae qubits above. Swap and identity gates are added as required, and trap qubits are left 
untouched. 

9. Perform the blind quantum computation: 

9.1 Execute Protocol 1, to which we add that Alice periodically instructs Bob to measure
in Z-basis as indicated above.

9.2 Alice uses the results of the trap qubit measurements to estimate the error rate; if it is 
below the threshold (see discussion in the main text), she accepts, otherwise she rejects. 






of the error rate (whether caused by the environment or by an adversary); if this error rate is below a
certain threshold (this threshold is chosen below the fault-tolerance threshold to take into account
sampling errors), Alice accepts the computation. As long as this is below the fault-tolerance
threshold, an adversary would still have to guess which qubits are part of the code, and which
are traps, so Theorem 7 also holds in the fault-tolerant version. The only difference is that the
adversary can set off a few traps without being detected, but he must still be able to correctly guess
which qubits are in the encoded qubit and which are traps. Increasing the security parameters will
make up for the fact that Bob can set off a few traps without making the protocol abort. This yields
a linear trade-off between the error rate and the security parameter. Note that the brickwork state
(Figure 1) can be extended to multiple dimensions, which may be useful for obtaining better
fault-tolerance thresholds [19]. While the quantum Singleton bound [24] allows error correction codes
for which $d_C \propto n_C$, it may be more convenient to use the Toric Code [23] for which $d_C \propto \sqrt{n_C}$, as
this represents a rather simple encoding while retaining a high ratio of $d_C$ to $n_C$. For the special
case of deterministic classical output, a classical repetition code is sufficient and preferable as such
an encoding maximizes $n_C$.

Theorem 5 (Fault Tolerance). Protocol 4 is fault-tolerant.

Proof. By construction, the circuit created in step 2.1 is fault-tolerant. Furthermore, the
permutation of the circuit wires and insertion of trap qubits (steps 2.2 and 2.3) preserves the fault
tolerance. This is due to the fact that qubits are permuted only within blocks of constant size.
The fault-tolerant circuit given in step 2.1 can be written as a sequence of local gates and CTRL-X
gates between neighbours. Clearly permutation does not affect the fidelity of local operations. As
qubits which are neighbours in the initial fault-tolerant circuit become separated by less than twice
the number of qubits in a single block, the maximum number of nearest-neighbour CTRL-X gates
required to implement CTRL-X from the original circuit is in $O(n_C + 3n_T)$ (the size of a block).
(If required, the multi-dimensional analogue of the two-dimensional brickwork state can be used
in order to substantially reduce this distance.) As this upper bound is constant for a given
implementation, a lower bound for the fault-tolerance threshold can be obtained simply by scaling the
threshold such that the error rate for this worst-case CTRL-X is never more than the threshold for
the original circuit. Thus, while the threshold is reduced, it remains non-zero.

Step 8 converts the fault-tolerant circuit to a measurement pattern; it is known that this
transformation retains the fault-tolerance property [26^ S]. Finally, in step 9, distributing the
fault-tolerant measurement pattern between Alice and Bob does not disturb the fault tolerance
since the communication between them is only classical. □

Theorem 6 (Blindness). Protocol 4 is blind while leaking at most $(n, m)$.

Proof. Protocol 4 differs from Protocol 1 in the following two ways: Alice instructs Bob to
perform regular Z-basis measurements and she reveals whether or not she accepts or rejects the
computation. It is known that Z measurements change the underlying graph state into a new graph
state [21]. The Z measurements in the protocol are inserted at regular intervals and their numbers
are also independent of the underlying circuit computation. Therefore their action transforms the
generic brickwork state into another generic resource still independent of Alice's input and the
blindness property is obtained via the same proof of Theorem 3. Finally, from Alice's decision
to accept or reject, only information relating to the trap qubits is revealed to Bob, since Alice
rejects if and only if the estimated error rate is too high. The trap qubits are uncorrelated with the
underlying computation (in the circuit picture, they do not interact with the rest of the circuit)
and hence they reveal no information about Alice's input. □

In the following theorem, for simplicity, we consider the scenario with zero error rate; a proof
for the full fault-tolerant version is similar.

Theorem 7 (Authentication). For the zero-error case of Protocol 4, if Bob interferes with an
authenticated computation, then either he is detected except with exponentially small probability (in
the security parameter), or his actions fail to alter the computation.

Proof. If Bob interferes with the computation, then in order for his actions to affect the outcome of
the computation without being detected, he must perform a non-trivial operation (i.e. an operation
other than the identity) on the subspace in which the logical qubits are encoded. Due to the
fault-tolerant construction of Alice's computation (Theorem 5), Bob's operation must have weight at
least $d_C$. Due to discretization of errors, we can treat Bob's action as introducing a Pauli error
with some probability $p$.

If a Pauli error acts non-trivially on a trap qubit then the probability of this going undetected
is 1/3. Pauli operators which remain within the code space must act on at least $d_C$ qubits. As Bob
has no knowledge about the roles of qubits (Theorem 6), the probability of him acting on any qubit
is equal. As the probability of acting on a trap is $3n_T/(n_C + 3n_T)$, for each qubit upon which he
acts non-trivially, the probability of Bob being detected is $2n_T/(n_C + 3n_T)$. Thus the probability
of an $M$-qubit Pauli operator going undetected is below $(1 - 2n_T/(n_C + 3n_T))^M$. Since $n_T = n_C$
the minimum probability of Bob affecting the computation and going undetected is $\epsilon = 2^{-d_C}$. □
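
The counting argument in this proof can be turned into a small calculator for choosing the security parameter. The following is an added example, not code from the paper: it models one block of $n_C$ code wires and $3n_T$ trap wires in a secret order, with Bob applying a uniformly random non-identity Pauli to $M$ distinct wires chosen without knowledge of their roles. The function names and the choice to sample distinct wires are assumptions of this sketch.

```python
# Added illustration (hypothetical names): detection odds for one authenticated block.
import random
from fractions import Fraction
from math import comb

def undetected_bound(n_c, n_t, m):
    """The proof's bound (1 - 2 n_T / (n_C + 3 n_T))^M, as an exact fraction."""
    return (1 - Fraction(2 * n_t, n_c + 3 * n_t)) ** m

def undetected_exact(n_c, n_t, m):
    """Exact escape probability when the M wires are distinct: k of them are traps
    (hypergeometric), and each trap misses the error with probability 1/3."""
    total, traps = n_c + 3 * n_t, 3 * n_t
    return sum(Fraction(comb(traps, k) * comb(n_c, m - k), comb(total, m))
               * Fraction(1, 3) ** k
               for k in range(min(m, traps) + 1))

def simulate(n_c, n_t, m, trials=20000, seed=1):
    """Monte Carlo check of undetected_exact with a secretly permuted layout."""
    rng = random.Random(seed)
    # None marks a code wire; 'X', 'Y', 'Z' mark a trap in that Pauli eigenbasis.
    layout = [None] * n_c + [b for b in "XYZ" for _ in range(n_t)]
    escaped = 0
    for _ in range(trials):
        rng.shuffle(layout)                       # Alice's secret permutation
        targets = rng.sample(range(len(layout)), m)
        # A trap stays silent only if the error equals its own eigenbasis Pauli.
        escaped += all(layout[w] is None or rng.choice("XYZ") == layout[w]
                       for w in targets)
    return escaped / trials

def min_distance(n_c, n_t, eps):
    """Smallest operator weight d for which the bound drops to eps or below."""
    d = 1
    while undetected_bound(n_c, n_t, d) > eps:
        d += 1
    return d

if __name__ == "__main__":
    for m in (1, 3, 5, 10):
        print(m, float(undetected_bound(7, 7, m)), float(undetected_exact(7, 7, m)),
              simulate(7, 7, m))
    print("distance needed for eps = 1e-3:", min_distance(7, 7, 1e-3))
```

With $n_T = n_C$ the bound collapses to $2^{-M}$, so a target escape probability of $10^{-3}$ requires a code distance of at least 10 in this model.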

5 Entangled Servers 

As stated before, one can view our protocol as an interactive proof system where Alice acts as the
verifier and Bob as the prover. An important open problem is to find an interactive proof for any
problem in BQP with a BQP prover, but with a purely classical verifier. Our Protocol 4 makes
progress towards finding a solution by providing an interactive proof for any language in BQP, with
a quantum prover and a BPP verifier that also has the power to generate random qubits chosen
from a fixed set and send them to the prover. This perspective was first proposed by Aharonov,
Ben-Or and Eban p]; however, their scheme demands a more powerful verifier.

We present in Protocol 5 a solution to another closely related problem, namely the case of a
purely classical verifier interacting with two non-communicating entangled provers. The idea is to
adapt Protocol 1 so that one prover (that we now call a server) is used to prepare the random
qubits that would have been generated by Alice in the original protocol, while the other server is
used for universal blind quantum computation. Using the authenticated protocol (Protocol 4)
between Alice and the second server, Alice will detect any cheating servers as, clearly, any cheating
by Server 1 is equivalent to a deviation from the protocol by Server 2, which is detected in step 2
of the protocol (the proof is directly obtained from Theorem 7). On the other hand, since Server 2
has access to only half of each entangled state, from his point of view, his sub-system remains in
a completely mixed state independently of Server 1's actions and the blindness of the protocol is
obtained directly from Theorem 6.

Protocol 5 Universal Blind Quantum Computation with Entangled Servers
Initially, Servers 1 and 2 share $|\Phi^+_{x,y}\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$ ($x = 1, \ldots, n$, $y = 1, \ldots, m$).

1. Alice's preparation with Server 1

For each column $x = 1, \ldots, n$
For each row $y = 1, \ldots, m$

1.1 Alice chooses $\tilde{\theta}_{x,y} \in_R \{0, \pi/4, 2\pi/4, \ldots, 7\pi/4\}$ and sends it to Server 1, who measures
his part of $|\Phi^+_{x,y}\rangle$ in $|\pm_{\tilde{\theta}_{x,y}}\rangle$.

1.2 Server 1 sends $m_{x,y}$, the outcome of his measurement, to Alice.

2. Alice's computation with Server 2

2.1 Alice runs the authenticated blind quantum computing protocol (Protocol 4) with
Server 2, taking $\theta_{x,y} = \tilde{\theta}_{x,y} + m_{x,y}\pi$.

A Measurement-based quantum computing

We give a brief introduction to the MBQC (a more detailed description is available in [12] [27] ttD
[15]). Our notation follows that of [15].

Computations in the MBQC involve the following commands, which are applied to a single 
qubit i, or to two qubits i and j: 

• Single-qubit preparations in the state $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$.

• Two-qubit entanglement operators $E_{ij} := \text{CTRL-}Z_{ij}$.

• Single-qubit destructive measurements $M_i^{\alpha}$ defined by orthogonal projections onto
$|+_\alpha\rangle = \frac{1}{\sqrt{2}}(|0\rangle + e^{i\alpha}|1\rangle)$ (with classical outcome $s_i = 0$) and
$|-_\alpha\rangle = \frac{1}{\sqrt{2}}(|0\rangle - e^{i\alpha}|1\rangle)$ (with classical outcome $s_i = 1$).
Measurement outcomes are summed (modulo 2) resulting in expressions of
the form $s = \sum_{i \in I} s_i$ which are called signals.

• Single-qubit corrections: $X_i$, $Z_i$ and phase rotations $Z_i(\alpha) := e^{-\frac{i \alpha Z_i}{2}}$. Corrections may be
dependent on signals, denoted as $X_i^s$, $Z_i^s$ and $Z_i^s(\alpha)$.

Dependent corrections on a qubit can be always absorbed in the measurement angle of that 
qubit: 



$$M_i^{\alpha} Z_i^{s} = M_i^{\alpha + s\pi}$$
$$M_i^{\alpha} Z_i^{s}(\beta) = M_i^{\alpha - s\beta}$$

Figure 2: Pattern with arbitrary rotations. Squares indicate output qubits.

A measurement pattern is described with a finite sequence of commands acting on a finite set of
qubits, for which a subset are inputs and a subset are outputs. Measurement patterns are universal
for quantum computing. Patterns are executed from right to left. Any pattern can be rewritten
in a standard form where all the preparation and entangling commands are performed only at the
beginning of the computation. This is due to the following commutation relations:



$$E_{ij} X_i^{s} = X_i^{s} Z_j^{s} E_{ij}$$
$$E_{ij} Z_i^{s} = Z_i^{s} E_{ij}$$
$$E_{ij} Z_i^{s}(\alpha) = Z_i^{s}(\alpha) E_{ij}$$



B Universality of the Brickwork state 

Theorem 8 (Universality). The brickwork state $\mathcal{G}_{n \times m}$ is universal for quantum computation.
Furthermore, we only require single-qubit measurements under the angles $\{0, \pm\pi/4, \pm\pi/2\}$, and
measurements can be done layer-by-layer.

Proof. It is well-known that the set $U = \{\text{CTRL-}X, H, \frac{\pi}{8}\}$ is a universal set of gates; we will show
how the brickwork state can be used to compute any gate in $U$. Recall the rotation transformations:
$X(\theta) = e^{-\frac{i \theta X}{2}}$ and $Z(\theta) = e^{-\frac{i \theta Z}{2}}$.

Consider the measurement pattern and underlying graph state given in Figure 2. The implicit
required corrections are implemented according to the flow condition [14] which guarantees
determinism, and allows measurements to be performed layer-by-layer. The action of the measurement
of the first three qubits on each wire is clearly given by the rotations in the right-hand part of
Figure 2 [11]. The circuit identity follows since CTRL-Z commutes with $Z(\alpha)$ and is self-inverse.

By assigning specific values to the angles, we get the Hadamard gate (Figure 3), the $\pi/8$ gate
(Figure 4) and the identity (Figure 5). By symmetry, we can get $H$ or $\pi/8$ acting on logical qubit 2
instead of logical qubit 1.

In Figure 6 we give a pattern and show using circuit identities that it implements a CTRL-X.
The verification of the circuit identities is straightforward. Again by symmetry, we can reverse the
control and target qubits. Note that as long as we have CTRL-Xs between any pair of neighbours,
this is sufficient to implement CTRL-X between further away qubits.

We now show how we can tile the patterns as given in Figures 2 through 6 (the underlying graph
states are the same) to implement any circuit using $U$ as a universal set of gates. In Figure 7 we
show how a 4-qubit circuit with three gates, $U_1$, $U_2$ and $U_3$ (each gate acting on a maximum of two
adjacent qubits) can be implemented on the brickwork state $\mathcal{G}_{9 \times 4}$. We have completed the top and
bottom logical wires with a pattern that implements the identity. Generalizing this technique, we
get the family of brickwork states as given in Figure 1 and Definition 1. □

Figure 3: Implementation of a Hadamard gate.

Figure 4: Implementation of a $\pi/8$ gate.

Figure 5: Implementation of the identity.

Figure 6: Implementation of a CTRL-X.

Figure 7: Tiling for a 4-qubit circuit with three gates.